As others have mentioned this is likely one of a couple of scenarios, roughly ordered by my guess on likelihood:
- Attempting to use your legitimate content and services to improve the SEO rank of other domains (even unrelated ones). This can usually be checked by looking for a sitemap.xml; there will be pages not redirected to your site that contain pages of links.
- Closely following the above, the pages may not be links to other sites but might be hosting phishing pages for other services unrelated to yours. The redirect here acts as a bluff for casual inspection of the domain. You won't see page entries in a sitemap.xml file for these ones.
- Attempting to "age" a domain. Not many talk about this option, but new domains are a red flag to a lot of automated security processes. When purchasing a domain and giving it a history associated with a legitimate service they make the domain look less suspicious for future malicious use.
- Preparation for a targeted campaign. This is pretty unlikely, you need to be really worth a dedicated long term campaign effort specifically against you or your company. If you're doing controversial/novel research, are managing millions of dollars, performing a service a state actor would object to, or have high profile clientele then maybe you fall into this category. These are patient campaigns and want to make the domain "feel normal and official". They won't do anything public with the domain such as SEO tweaking or link spam, they'll use these domains only for specific targeted one-off low-noise attacks. They're relying on staff to see that the domain has been connected to your service for years and is likely just a domain someone in marketing purchased and forgot about. This is exceptionally rare.
Regarding point two, OP should connect to a VPN in Japan or somewhere he very much isn't, use incognito mode, and see if the same content is served. I've seen hacked sites that are set up to serve normal content to where the attacker thinks the owner of the site lives, but serve phishing content or malware or whatever to everywhere else.
A 301 fits that bill because then the owner's browser, even when traveling, will serve the good content.
Can you get Google Safe Search to do that? I feel like my reports fall on deaf ears because SMS spammer's URLs would only serve 'bad' pages to $MyCountry (and nowadays do it behind a captcha, fuck you hcaptcha).
I have seen attacks where directly visiting the site doesn't show anything out of the ordinary, but visits coming from Google (referer) show different content. Have also seen ones where only User-Agent: Googlebot would see the modified version of the site.
(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)
Yes, this is how most Wordpress malware works - they inject/publish ad or keyword spam content on the site if the user agent is googlebot. Regular users don't get the ads. It's partially why most people never realise their site has been hacked.
Or, try a mobile user-agent. I've seen loads of phishing pages that will only serve their malicious payloads to phones - this is especially common with the scams that are sent via SMS.
Yeah this is a good call-out. If the site is being used for drive-by or targeted malware there are other checks that may be happening alongside the redirect such as user agent, country of origin (like you mentioned), plugins installed, OS, or even time of day.
If they detect something that matches what they want, they may throw some intermediate 301's to pages that attempt to infect the user with something still ultimately redirecting to the "normal" page.
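A way to run the checks these two comments describe, as an added example that is not code from any commenter: fetch the suspect URL under several client profiles (desktop, mobile, a Googlebot user agent, a Google referer) without following redirects or caching, and report which profiles receive a different status, Location or body. The host example-redirector.test is a constructed placeholder; geography still needs a VPN exit as suggested earlier in the thread.

```python
"""Check a suspect domain for cloaking: does it answer every client the same way?

Added example, not code from any commenter. The suspect host
example-redirector.test is a constructed placeholder. Redirects are not
followed and nothing is cached, so a sticky 301 cannot hide a divergent answer.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Client profiles the thread says cloaked sites key on: user agent, referer, crawler.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"},
    "mobile": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile Chrome/120.0"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from-google": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
        "Referer": "https://www.google.com/",
    },
}

# One observation per profile: (HTTP status, Location header or "", sha256 of body)
Observation = Tuple[int, str, str]
Fetcher = Callable[[str, Dict[str, str]], Observation]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def fetch_no_follow(url: str, headers: Dict[str, str]) -> Observation:
    """Fetch url once with the given headers; redirects are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={**headers, "Cache-Control": "no-cache"})
    try:
        with opener.open(req, timeout=10) as resp:
            body = resp.read()
            return resp.status, resp.headers.get("Location", ""), hashlib.sha256(body).hexdigest()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers and a body
        body = err.read()
        return err.code, err.headers.get("Location", ""), hashlib.sha256(body).hexdigest()


def observe(url: str, fetch: Fetcher = fetch_no_follow) -> Dict[str, Observation]:
    """Fetch url once per profile. The fetcher is injectable so the logic runs offline."""
    return {name: fetch(url, dict(hdrs)) for name, hdrs in PROFILES.items()}


def divergent_profiles(observations: Dict[str, Observation], baseline: str = "desktop") -> List[str]:
    """Profiles whose (status, Location, body hash) differ from the baseline profile.

    A non-empty list means the host is cloaking: some visitors get the 301 to the
    legitimate site while others get something else (spam, a phishing page, ...).
    """
    base = observations[baseline]
    return sorted(name for name, obs in observations.items() if obs != base)


if __name__ == "__main__":
    results = observe("http://example-redirector.test/")
    for name, (status, location, digest) in results.items():
        print(f"{name:12} status={status} location={location!r} body={digest[:12]}")
    print("divergent profiles:", divergent_profiles(results) or "none")
```

Run it once from your own network and once through a VPN exit in another country and compare the two result sets; the body hash is what catches a parking page or spam page served with the same 200 status.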
Just a note: 301s are super sticky and browsers cache them even across incognito modes. Your best bet is to use a new browser after reconnecting to avoid false results.
On Chromium-based browsers, if you open the Developer Tools (F12 or Inspect in right click) and you go to the Network tab, you can click 'Disable Cache'.
In my experience, this solves the sticky 301 issue and you should have no issues with cached 301s anymore.
Works perfectly for these kinds of investigations or if you made a mistake during site development.
I'm not GP but a decade ago when I started out as a web developer I made the mistake of using 301s in production and at the time we never figured out how to get the browser to re-learn the responses for those pages without drastic measures.
I still never use 301s for that reason. Things may have changed, but I dare not try!
> I still never use 301s for that reason. Things may have changed, but I dare not try!
I use 301 for http:->https: redirects because (a) I doubt we're going back, (b) it prevents some cleartext leaks (like the Host header), and (c) it is slightly cheaper.
> we never figured out how to get the browser to re-learn the responses for those pages without drastic measures.
If you control the target URL it is easy, just redirect back. Seriously: The browser won't loop, it'll just fetch the content again and now not seeing a 301 will forget that nonsense ever happened. This is why 301 is usually a fine default for same-site redirects, or if the redirect target is encoded in the URL (such as in tracking URLs).
The big no-no is don't 301 to a URL you can't control unless you have the appropriate Cache-Control headers on the redirect.
Yeah that's a good point, but one way to think about a CDN is like a web browser that you control, so I say do it even with a CDN and remember you can always just flush the "browser" cache! (or in cloudfront's case: create an invalidation and wait a few seconds)
You can disable caching in Firefox's developer tools, this covers such cached redirects. Very useful combined with a persistent log of network activity to avoid clears after redirects.
There's a related site compromise where a hacked webserver behaves normally except, when the referrer is google.com, it adds a JavaScript redirect to the end of any page.
You go to example.com, everything looks normal. You click a link to example.com, you end up on a page selling herbal dick pills. Site owner yells at Google thinking it's their fault. Googlebot never gets served the redirect.
You should be able to do the same thing with 301 redirects.
OP, you can search for "site:getexample.com" which will list you any pages that have been indexed for that domain. They might have just redirected the homepage. Worth a shot.
Just speculating here, but would it be possible that the redirecting domains could actually overtake the original site in terms of search rank, etc? If yes, this could be preparation for a semi-targeted phishing campaign:
1) set up plausibly-named fake domains that redirect to example.com
2) ensure that the fake domains rank higher than the original domain for "example" searches.
3) after a while, people have gotten used to accessing the service through the fake domains or might even think those are the official domains.
4) pull up the net by replacing the redirect with phishing pages. Suddenly, everyone googling for the service will end up on a phishing site, without any obvious way to fix the situation.
Phishers could also run this scheme for lots of sites in parallel, without needing to have some specific interest in any of them.
Edit: Seems like the semantics of the 301 redirect should prevent this from working though.
It could be a combo of 1 and 3: a competitor (or someone who thinks they might be in the future) ages those domains, then points it to their own product later.
This is another great call-out and semi-common. I can definitely get blinded by my security focus but shady business tactics drive a lot of these similar domain purchases for exactly the reason you described.
Bait and switch? Get users to bookmark joinexample.com and the others, and once they notice that people keep going to your site via their domain names, they will switch, make a fake "change password" page, and people will be ripped off.
Another scenario is that if you open the domain from a browser, they will do a 301 redirect, but for traffic coming from Google/search engines, they will show their actual content.
I'd add canonical link elements to your html and http headers in order to reduce the chances of subversion somehow. The whole thing feels really weird to me.
I'll add another scenario I've personally experienced:
- Reaching out in good-faith with an offer to sell the domain to you. I've had that happen in the past and before receiving the email the person directed the domain to my official website to show good will. I purchased the domain and now own it.
Not saying this is the case here, but just wanted to throw a legitimate scenario into the mix. They should have reached out by now if this was the case.
Their play is to send emails with those domains but in the emails claiming to be you and when people reading the email go to the domain, they see your page (they got redirected).
Wow. Yeah that's genius. It would definitely catch me as I just visit the domain to see if it's legit and don't think about redirects. e.g. gogle.com -> google.com
Nothing new. I used to create fake, for example, myspace login pages, host them somewhere, harvest the credentials then redirect back to myspace.com login
They'll weaponize them at some point. How exactly is to be seen, but if people associate your product with domains you do not control (e.g. via SEO searches and hyperlinks left in public places), then everyone is on the hook the moment these domains stop redirecting to your service.
I'm sure I don't really have to point this out, but...
The last thing you would ever want to do is associate your domain name with gross, offensive content like this. The web is crawled all the time for snapshot data.
Additionally, you're more likely to cause your own (potential) users to stumble on this than anything else.
IMO, the best policy is almost always transparency. If you were to redirect users (and referrer-based redirects are a fragile thing), send them to a phishing/spam awareness page and explain that they most likely arrived from such a source.
It’s possible `/` redirects but other hidden routes phish. If someone gets e.g.: a fake password reset email, it might help the attacker bypass sanity checks users make.
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.
Just had a look - it appears you’ve got nine .com domains registered with your brand name in the same second on GoDaddy: explore/get/join/meet/my/team/the/tryEXAMPLE.com and EXAMPLEconnect.com.
The Cloudflare redirect likely has GoDaddy underneath, based on what’s visible at myEXAMPLE.com/lander and others.
Half of the domains are set for Outlook Mail, the other for Google Mail which points to a potential email game.
It doesn’t make things safer that your brand name is a top-400 frequency word in one of the European languages. Not owning your .com and having a dozen businesses with similar names just compounds the risk.
What to do really depends on the specifics of your case, including trademark and competition factors. If you’re stuck, feel free to ping me at aghackernews [at] gmail.
Another possibility: Does your example.com point to something with an ideological or humanitarian goal?
There was a humanitarian charity I've donated to, and I saw people erroneously linking to the wrong URLs when spreading news of it. (Say, `foobar.org` and `boofar.com` when the charity is at `boofar.org`.)
So, I just bought the URLs and had them redirect to the correct URL, before a bad actor could snap them up.
They might be trying to create toxic back links to their domains and if those domains 301 to your domain, I believe this can negatively impact the SEO of your domain (from what I read). If so you can try to disavow them https://support.google.com/webmasters/answer/2648487?hl=en
Phishing. Regular visits to these domains will 301 redirect them to you, but there's at least one URL that will instead be handled by the scammers themselves.
They'll then send out an email campaign with a From: address in the counterfeit domain (which will have valid SPF/DKIM/whatever), a subject like "Example.com: You've been invited to join a project!", quickly-come-see-this-secret-stuff body copy, and a call-to-action button linked to that URL.
The page hosted on the URL will have your branding and everything, and collect a bunch of personal information and/or access credentials for the scammers.
Taking down this stuff is tedious, but you can try -- the least you can do for now is display a prominent 'this is not an authorized example.com domain' warning for inbound visits from these redirects, create a public Knowledge Base-like article warning about this abuse as well (making very clear this has nothing to do with you), and block the domains involved on your inbound mail server.
Silver lining: apparently your SaaS is successful enough to be used as a lure for scammers. Congrats?
I did this for a fraudulent health product. They had .org but not .com. Registered .com and redirected it. Waited for SEO to pick up on it. Created the page calling it out as fraud. Created some social media accounts and put the .com in the about info. Started commenting on their posts, anyone that looked at the fake profiles would find my page with info on why it was fraudulent.
I think you can check the HTTP_REFERER header and block the redirect using your back-end code, like PHP or Node or Python, not sure what tech stack you are using.
The right play might be to have a custom landing page or header / popup on your site indicating that they were referred by a fraudulent domain, and to please bookmark your proper domain / report if this was via an email link. The traffic might be good, just coming in through a bad actor.
If somebody is using your website to phish, it almost certainly means they are targeting people who legitimately want your services. It is an executive decision, but I personally would let people know, and take the free advertising.
Redirecting back to the referer will not create a redirect loop. The referer is the URL of the site that linked to the redirect, not the redirect itself. The redirect does not alter the referer in any way. In many cases, there will be no referer at all.
I don't know why everyone seems to think that HTTP redirects are visible in Referer (or Origin or any other header), but that's just not the case: HTTP redirects are completely transparent to the destination server.
> I don't know why everyone seems to think that HTTP redirects are visible in Referer
They would be if it's a same-origin redirect, no? And I was under the impression that 3xx also set it cross origin (barring a referrer-policy header), though I'm less confident now. (I can't test it ATM).
Edit: I am clearly confused. The browser preserves the original referer when performing a 3xx, as you said.
IMHO you should take action ASAP - at the cost of sacrificing all traffic coming from them. Regardless of their endgame, I'd just detect the HTTP referer and redirect back to them: crawlers and browsers will detect the redirect loop and happily complain about their domain. This will render their redirects ineffective, e.g. any phishing attempt will have broken links.
This is preferable rather than returning 404, 403, or warning users something fishy is going on - since anything you return from your site will have browsers and crawlers complaining about your site, and your URL/contents might suffer penalties or deindexing as a result.
Edit: as others have noted, the HTTP referer is not really useful most of the time - if at all (though legitimate, known good referrers may exist).
So what's left is 1) filing a DMCA request with their registrar and 2) hosting provider, 3) checking offending inbound links and using Google’s Disavow Links tool. And if they're plagiarizing some contents, also 4) asking Google to remove infringing pages from their index. I had to do the latter a few years ago.
If you navigate straight to bad-domain.com which redirects to good-domain.com, there will be no referer at all.
If you click a link on red-herring.com which points to bad-domain.com, which then redirects to good-domain.com, the referer will be red-herring.com (if not disabled entirely).
I just tested on firefox and it doesn't send the "Origin" header when using referrerpolicy="no-referrer". It's also not present when navigating using the url bar directly.
I didn't say it was. Browsers display an alert when full-screen mode is activated. Full-screen mode isn't a security feature, but the browser does something the website developer can't control so that users can conclude that something fishy isn't going on. I think the ability for one website to hide that they've redirected to another is a vulnerability.
I'm inclined to agree that websites should know when they're the target of a redirect but that has nothing to do with Referer! That header does not work the way so many seem to think it does. As I've laid out elsewhere in this thread, HTTP redirects do not show up in Referer under any circumstances. Right now, one site doesn't have to do anything to "hide" that it's part of a redirect chain, since there's no tracking of that chain to begin with.
Yes, phishing. It might happen in the future, it could be happening right now, emails from getexample.com, a specific path on getexample.com that doesn't redirect to the real thing, etc.
File a DMCA with the registrar and the hosting provider.
Don't have an affiliate program, and I don't think we've got anything to suggest we will have one in the future (frankly our billing process is pretty bare bones and affiliate stuff isn't something we're looking at right now).
We're a small bot security/captcha company and pretty regularly get various attacks thrown at us - figuring out if somebody is up to something more along those lines was my main concern.
I’ve seen one or two domains like that serving 301s to some IPs and their own website to others. This could be a 1000:1 ratio. Then they serve an absolutely ad-infested parking page-style website to those others. And that’s how they skim a little bit of revenue off your customers.
They may also represent you to real life businesses for invoice scams or credit.
I don't know if it still happens, but Google used to have an issue that I would see in Verbatim mode whereby non-Wikipedia domains would rank as particular Wikipedia pages by redirecting to Wikipedia. I can't seem to replicate it now, so it might be resolved or vary from country to country.
I posted about it at the time, but no one seemed to be able to replicate it:
Just had a look - looks like pretty regular/reasonable cloudflare default stuff as far as I can tell. The headers relating to error reporting are the only thing that stand out a little, though it doesn't look unreasonable.
If you are seeing 301s logged on your end that is your site redirecting to another one.
There isn’t a way to see what a referring site did to do the redirect (301 or 302 or even a js redirect) in your logs. All you’ll see is (potentially) the Referer http header.
It’s likely an attempt to steal usernames and passwords for privilege escalation. I had a large corporate client who faced a very similar issue. In their case, the scammer not only registered similar domains but also created Google Ads campaigns targeting those domains. It’s worth investigating further and taking preventative measures to protect your brand and users.
I don't have the slightest clue about your case, a business,
I have done this once in the past, for a sort of community project. The project was at example.org and I had a VPS with a free domain I didn't use, so I had the example.[something] pointed there for a couple of years. Basically just white-hat domain squatting it so no one else snags it up.
There is a higher chance they want to nuke your website, because too many 301s can be harmful to SEO in some rare cases.
If they want to sell you something, or scam, they won't do 301, because after a 301 the juice power will gradually move to your domain, and it's pointless to do this before any scams and sales.
Lots of answers about why, and it could be one or many of them. Scammy reasons likely.
A somewhat innocent reason could be that someone sent a newsletter email or shared a link to your site, but mistyped the URL, so to save their users from getting NXDOMAIN errors, or even worse, someone registering it with ill intentions, they registered and 301 redirected to you.
Whatever their plan - if you have a trademark or similar IP protection on "Example", that might prove extremely useful here. (If not - consider getting some protection ASAP.)
It's been a while, and IANAL - but I've seen both domain resellers and registrars cave pretty quickly when contacted with "that name very obviously infringes on our trademark".
Use your legitimate site to boost the SEO rank of unrelated domains.
Create toxic backlinks that harm your domain’s SEO ranking if not properly disavowed.
----- Phishing Campaigns:
Send emails with their domains (e.g., fake password reset or invite emails) claiming to be you, redirecting users to phishing pages masquerading as your brand.
Serve phishing content to users based on conditions such as geography, user agent, or time of day.
----- Domain Aging:
"Age" their domain by associating it with your legitimate service to make it appear trustworthy for future malicious activities.
----- Targeted Malware:
Use redirects to detect vulnerable users and deliver malware or drive-by attacks to those targets while serving legitimate content to others.
----- Regional Phishing or Malware Delivery:
Redirect normal traffic to your site while targeting specific regions for phishing or malware, avoiding detection for longer periods.
----- Hijacking Search Results:
Build up search engine traffic for their domains by associating them with your brand and later weaponize the domains (e.g., for phishing or fraud).
----- Affiliate Fraud:
Redirect traffic with an affiliate ID (if you use affiliate links), attempting to claim commissions fraudulently.
----- Brand Impersonation:
Use domains similar to your brand to impersonate your service, potentially harming your reputation.
----- Extortion/Domain Ransom:
Build traffic or search relevance on their domains and later attempt to extort money from you by offering to stop the redirect or sell the domain.
----- Invoice Scams:
Represent your service fraudulently to businesses for invoice scams or credit fraud.
----- Bypass Sanity Checks:
Use 301 redirects to bypass user sanity checks, tricking users into believing they are visiting legitimate sites.
----- Traffic Monetization:
Use ad-infested parking pages for a fraction of the traffic and redirect the rest to your site to generate revenue.
----- Reputation Damage:
Cause your brand to be associated with scam or phishing domains, which can harm public perception and trust.
----- Legal Liability:
Misuse of your brand or domain to commit fraud could lead to potential legal complications for you.
----- False Phishing Reports:
Cause false flags in phishing reports, harming your brand credibility and delaying the takedown of malicious domains.
----- Hidden Routes for Malicious Content:
Redirect general traffic to you while hosting specific malicious routes (e.g., URLs hosting phishing or malware).
----- Impersonation via Emails:
Send emails claiming to be your service, and when users visit the domain, they see your page after a redirect, adding legitimacy to the scam.
----- Scam Awareness Manipulation:
Target your traffic by hosting fraudulent educational content or warnings related to your domain to sow distrust.
This feels like a never-ending cat and mouse activity, but depending upon your hosting infrastructure, you ought to be able to maintain a list of these domains and 403/404 incoming requests that are being referred from the list. Better to just dump them to an error / scam warning page than 301 them out to somewhere else (to avoid redirect loops)
This sounds very plausible. Then if they click on their link or manually type in the website corresponding to the e-mail address, it goes to your (very official) site.
Of all the answers presented so far, this one feels the most plausible to me.
It can bypass some whitelisting if you, for example, have redirects checking whether the address is example.com but the validation is poorly written ("startswith", "contains"), on the login page or anywhere else.
Could be for phishing. Is the SaaS in a domain that involves money (payments/crypto etc.)? Then even more likely so. I would drop those redirects at my webserver level. Easy to do.
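The difference between the sloppy "startswith"/"contains" checks named above and a strict one, plus the same exact-host matching applied to the referer blocklist suggested earlier in the thread (serve a warning page instead of redirecting), as an added example that is not any commenter's code. example.com, getexample.com and joinexample.com are the placeholder names used in the thread.

```python
"""Exact-host matching for (a) a redirect-target allowlist and (b) a referer blocklist.

Added example, not code from any commenter. All hostnames are placeholders.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

OUR_HOST = "example.com"                           # placeholder: the legitimate site
LOOKALIKES = {"getexample.com", "joinexample.com"}  # placeholder: domains that 301 to us


def host_of(url: str) -> Optional[str]:
    """Lower-cased hostname of an absolute http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def weak_is_allowed(target: str) -> bool:
    """The sloppy check the comment describes: string tests on the raw value.

    Passes for https://example.com.evil.test/ and for any URL that merely
    mentions example.com in its path or query.
    """
    return target.startswith("https://" + OUR_HOST) or OUR_HOST in target


def is_allowed_redirect(target: str) -> bool:
    """Strict check: a same-site relative path, or an http(s) URL whose host is ours.

    Parsing first means userinfo tricks (https://example.com@evil.test/) and
    scheme-relative //evil.test/ are rejected, as are backslash paths.
    """
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return True  # relative path on our own origin
    host = host_of(target)
    return host is not None and (host == OUR_HOST or host.endswith("." + OUR_HOST))


def referer_action(referer_header: Optional[str], blocked: Iterable[str] = LOOKALIKES) -> str:
    """Decide how to handle a request based on its Referer.

    'warn'  -> show the "this is not an authorized example.com domain" page
    'serve' -> normal handling. The header is often absent and never set by a
               redirect itself, so this is best-effort, not the only control.
    """
    host = host_of(referer_header or "")
    if host is None:
        return "serve"
    blocked_hosts = {b.lower() for b in blocked}
    if host in blocked_hosts or any(host.endswith("." + b) for b in blocked_hosts):
        return "warn"
    return "serve"


if __name__ == "__main__":
    for candidate in ("/account", "https://example.com.evil.test/", "https://evil.test/?next=example.com"):
        print(f"{candidate:45} weak={weak_is_allowed(candidate)!s:5} strict={is_allowed_redirect(candidate)}")
    for ref in (None, "https://getexample.com/", "https://www.google.com/"):
        print(f"Referer {ref!r:28} -> {referer_action(ref)}")
```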
If you know that is happening with HTTP you can redirect those requests, based upon origin, to a honeypot of your choosing. It’s free traffic you didn’t have to work for to use as you wish without disruption to your business requirements. You can use that traffic to experiment with new features under experimental branding, AB testing, and more.
The malicious website can stop the Referer header from being sent by setting the Referrer-Policy header to "no-referrer". Also, redirects apparently wouldn't include a Referer header any way, according to kbolino's comment.
First of all you shouldn't rely on HTTP headers for traffic identification as that makes a bunch of assumptions. Secondly, look at the example 301 on MDN which contains no identifying information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301
Redirected traffic is coming from one or more dedicated locations performing the redirection. The source of redirection is still identifiable by IP address. So, if you know the traffic is coming from a given IP and is a 301 you have all you need. Even after that the identified traffic, if not bots, can then be further tracked via a variety of client-side things like cookies and localStorage.
I don't think that's correct. If server A redirects to server B, then server B does not obtain the IP address of server A, only the IP address of the client. Also, the client does not send a "301 request" to server B, it sends a normal GET request. The 301 code only applies to responses, not requests.
Not a lawyer. Your claim to copyright the term used by your SaaS depends on the website you registered, unless you officially copyrighted the term. Someone having all those websites can also claim the copyright, or claim you didn't enforce it by asking the other websites to be removed.
I can answer this one because it was one of my dirtier SEO tricks.
Expired domains and domains on the marketplace, with hundreds or thousands of "backlinks" to them, are valuable. In the listing you may see something like "20000 back links." And those links are usually worthless, spam, and will vanish as soon as you buy. But you can find domains that have real backlinks. TEN backlinks from reputable websites are more valuable than a thousand spam BLs.
You used to be able to buy and run software, "backlinks explorer", to investigate everyone who links to a domain you're thinking about buying. And you can also research a "20000 backlinks" claim to see if this is just someone spamming that domain all over blogger and forums.
A good domain to buy will have legit backlinks from real websites that linked on purpose. If it's been spammed thousands of times for a "5000 backlinks claim", expect google to punish it!
Because if you 301 them to your site, google et al assume you’re the legitimate successor to that website and people mean to link to you.
So you come up higher in search.
I’ve used this to be the first or second result on google. And certainly on the first page of results.
It overcomes downranking for being a new domain nobody links to.
Google has its own criteria for evaluating whether your page is spam or a scam, and whether you’re abusing this to promote spam or a scam.
I have a trio of ancient highly ranked domains that I forward to a new page for about a year.
They’ll hit page one on google within a week or two or three.
After I remove the 301s or recycle those domains, the pages usually still come up within the first page of results afterwards.
Before you get too horrified here, I did this to bury a “competitor” who had registered a similar domain name, stolen my entire repo and website from a disgruntled employee, copied all my software and copied my webpage word for word trying to drum up business on my IP. The whole time they mocked me in email about stealing my customers and putting me out of business.
It worked. (Sort of. If you hire them they don’t actually have any idea how to do what I do.)
I did not do this to scam or phish or what have you. I just did this to bump them from #1 on google. Which they got by incorporating with a similar business name and registering with a similar URL.
They did ultimately manage to shut that business down and disrupt it after years of this and I moved on because I have other talents and this venture wasn’t profitable enough to deal with this entity kneecapping me for years and years.
But on my way out, I forwarded all of those domains to a reasonable and legitimate website that’s in the same line of work, resulting in them now dominating the other site in search. So I walked away and used this trick one last time to at least ensure someone searching for this subject would end up in some safe and reasonable hands.
What’s my point in sharing this?
It’s that the other website has no idea I did this, and has no control over it. You might see this and assume the worst about the other website.
Someone could be doing this to manipulate SEO or search results over sites they don't even own. For reasons that might (?) make sense or be well intended.
And for reasons that don't, or might even be malicious.
People do this for SEO purposes. They think that this increases the amount of backlinks to their site, thus increasing their rank in Google and other search engines.
This is less true than it used to be, but people still do it.
Just feels like such an odd play lol. If they could organically generate leads/traffic that I'd be willing to get extorted over, then surely they would also have the means to start a marketing agency that I'd be willing to pay far more for?
The fraudulent domains are only sending traffic to OP.
My guess is that they want to either phish visitors, or they want to ask OP for affiliate revenue, like a digital version of the guys who wash your windshield or your shoes without asking first, and then ask for money.
Or planning to threaten to divert organic traffic through the impersonation domains away from the canonical domain, if you don't pay them.
A 301 fits that bill because then the owner's browser, even when traveling, will serve the good content.
Our service testlocal.ly can grab screenshots for you from different countries really quickly if you want a free check.
Oh hey, I've used your site before. Thanks for setting it up!
One quick point of feedback: The "Learn more about our features and pricing" button appears to be broken, at least on Chrome Android.
The click gets intercepted by the registration form somehow, like by some type of overly-broad selector targeting "form button" or similar.
Instead of being taken to the pricing page, it takes me to the next step of the form, which I don't want to fill out before seeing the pricing.
Can you get Google Safe Search to do that? I feel like my reports fall on deaf ears because SMS spammers' URLs would only serve 'bad' pages to $MyCountry (and nowadays do it behind a captcha, fuck you hcaptcha).
I have seen attacks where directly visiting the site doesn't show anything out of the ordinary, but visits coming from Google (referer) show different content. Have also seen ones where only User-Agent: Googlebot would see the modified version of the site.
(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)
Yes, this is how most Wordpress malware works - they inject/publish ad or keyword spam content on the site if the user agent is googlebot. Regular users don't get the ads. It's partially why most people never realise their site has been hacked.
Scams on every possible level - the internet has become so depressing.
Doesn't Google have countermeasures against this?
Or, try a mobile user-agent. I've seen loads of phishing pages that will only serve their malicious payloads to phones - this is especially common with the scams that are sent via SMS.
Yeah this is a good call-out. If the site is being used for drive-by or targeted malware there are other checks that may be happening alongside the redirect such as user agent, country of origin (like you mentioned), plugins installed, OS, or even time of day.
If they detect something that matches what they want, they may throw some intermediate 301's to pages that attempt to infect the user with something still ultimately redirecting to the "normal" page.
Just a note 301s are super sticky and browsers cache them even across incognito modes. Your best bet is to use a new browser after reconnecting to avoid false results.
On Chromium-based browsers, if you open the Developer Tools (F12 or Inspect in right click) and you go to the Network tab, you can click 'Disable Cache'.
In my experience, this solves the sticky 301 issue and you should have no issues with cached 301s anymore.
Works perfect for these kind of investigations or if you made a mistake during site development.
Of course, there are ways to clear it but that’s never something you could expect a non-technical user to do.
Really? That seems like a fantastic way to fingerprint people. I would be a bit surprised if that was the case...
(Fingerprint usage: have https://myfingerprint.example.com 301 to https://myfingerprint.example.com/unique_id_3b136c1cb, then embed https://myfingerprint.example.com in an iframe and see which request is made.)
I'm not GP but a decade ago when I started out as a web developer I made the mistake of using 301s in production and at the time we never figured out how to get the browser to re-learn the responses for those pages without drastic measures.
I still never use 301s for that reason. Things may have changed, but I dare not try!
> I still never use 301s for that reason. Things may have changed, but I dare not try!
I use 301 for http:->https: redirects because (a) I doubt we're going back, (b) it prevents some cleartext leaks (like the Host header), and (c) it is slightly cheaper.
> we never figured out how to get the browser to re-learn the responses for those pages without drastic measures.
If you control the target URL it is easy, just redirect back. Seriously: The browser won't loop, it'll just fetch the content again and now not seeing a 301 will forget that nonsense ever happened. This is why 301 is usually a fine default for same-site redirects, or if the redirect target is encoded in the URL (such as in tracking URLs).
The big no-no is don't 301 to a URL you can't control unless you have the appropriate Cache-Control headers on the redirect.
Isn't there a https upgrade header specifically for this kind of thing?
Not to my knowledge. How exactly do you think it works?
426 Upgrade Required
> If you control the target URL it is easy, just redirect back. Seriously: The browser won't loop
Just uh... don't do this if you have a CDN in front of your site. We had an incident where Cloudfront cached the 301s in both directions.
Yeah that's a good point, but one way to think about a CDN is like a web browser that you control, so I say do it even with a CDN and remember you can always just flush the "browser" cache! (or in cloudfront's case: create an invalidation and wait a few seconds)
Interesting use case actually. I had never thought of this. I wonder if it’s used in the wild
You can disable caching in Firefox's developer tools, this covers such cached redirects. Very useful combined with a persistent log of network activity to avoid clears after redirects.
Try curling the urls with a referrer of Google.
There's a related site compromise where a hacked webserver behaves normally except, when the referrer is google.com, it adds a JavaScript redirect to the end of any page.
You go to example.com, everything looks normal. You click a link to example.com, you end up on a page selling herbal dick pills. Site owner yells at Google thinking it's their fault. Googlebot never gets served the redirect.
You should be able to do the same thing with 301 redirects.
I think the first one is pretty likely.
OP, you can search for "site:getexample.com" which will list you any pages that have been indexed for that domain. They might have just redirected the homepage. Worth a shot.
I would expect the certificate mismatch to prevent this.
The certificate mismatch does not play any role in this SEO tactic. It just is not a factor.
I was thinking of CNAMEs.
Just speculating here, but would it be possible that the redirecting domains could actually overtake the original site in terms of search rank, etc? If yes, this could be preparation for a semi-targeted phishing campaign:
1) set up plausibly-named fake domains that redirect to example.com
2) ensure that the fake domains rank higher than the original domain for "example" searches.
3) after a while, people have gotten used to accessing the service through the fake domains or might even think those are the official domains.
4) pull up the net by replacing the redirect with phishing pages. Suddenly, everyone googling for the service will end up on a phishing site, without any obvious way to fix the situation.
Phishers could also run this scheme for lots of sites in parallel, without needing to have some specific interest in any of them.
Edit: Seems like the semantics of the 301 redirect should prevent this from working though.
It could be a combo of 1 and 3: a competitor (or someone who thinks they might be in the future) ages those domains, then points it to their own product later.
This is another great call-out and semi-common. I can definitely get blinded by my security focus but shady business tactics drive a lot of these similar domain purchases for exactly the reason you described.
Bait and switch? Get users to bookmark joinexample.com, and the others, and once they notice that people keep going to your site via their domain names, they will switch, make a fake "change password" page, and users will be ripped off.
One other scenario is that if you open the domain from a browser, they will do a 301 redirect, but for traffic coming from Google/search engines, they will show their actual content.
If this is done with SEO in mind, at first they will also do a redirect for Google Bot.
Then they build links to their domains. Once it has more backlinks than the real domain, the redirect is removed.
I'd add canonical link elements to your html and http headers in order to reduce the chances of subversion somehow. The whole thing feels really weird to me.
I'll add another scenario I've personally experienced:
- Reaching out in good-faith with an offer to sell the domain to you. I've had that happen in the past and before receiving the email the person directed the domain to my official website to show good will. I purchased the domain and now own it.
Not saying this is the case here, but just wanted to throw a legitimate scenario into the mix. They should have reached out by now if this was the case.
Their play is to send emails with those domains but in the emails claiming to be you and when people reading the email go to the domain, they see your page (they got redirected).
This sounds like the most plausible hypothesis.
Wow. Yeah that's genius. It would definitely catch me as I just visit the domain to see if it's legit and don't think about redirects. e.g. gogle.com -> google.com
Nothing new. I used to create fake, for example, myspace login pages, host them somewhere, harvest the credentials then redirect back to myspace.com login
They'll weaponize them at some point. How exactly is to be seen, but if people associate your product with domains you do not control (e.g. via SEO searches and hyperlinks left in public places), then everyone is on the hook the moment these domains stop redirecting to your service.
Yes, they can send legit-looking email with getexample.com, then people will accept those emails as trusted, such as lifecycle emails.
Then they send an invoice…
I haven't seen this before but back in the early 2010s I had some India-based group that iframed our SaaS website under a new domain. I caught it early and implemented this fix: https://stackoverflow.com/questions/2896623/how-to-prevent-m...
I think this was a common attack vector around then, but is no longer common.
Seeing Google’s Picasa mentioned in an answer on that stackoverflow was a real throwback
Stupid question:
Can you not detect and prevent this based on the HTTP referrer? Maybe reroute to goatse or something....
I'm sure I don't really have to point this out, but...
The last thing you would ever want to do is associate your domain name with gross, offensive content like this. The web is crawled all the time for snapshot data.
Additionally, you're more likely to cause your own (potential) users to stumble on this than anything else.
IMO, the best policy is almost always transparency. If you were to redirect users (and referrer-based redirects are a fragile thing), send them to a phishing/spam awareness page and explain that they most likely arrived from such a source.
Pretty sure Content-Security-Policy headers can prevent this type of attack these days for browsers that support them. Check out the frame-ancestors CSP directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
Consider rerouting to a picture of an egg in a soft-boiled egg cup with an uncanny resemblance to male anatomy.
It’s possible `/` redirects but other hidden routes phish. If someone gets e.g.: a fake password reset email, it might help the attacker bypass sanity checks users make.
Also helps create phishing report "false" flags.
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.
Just had a look - it appears you’ve got nine .com domains registered with your brand name in the same second on GoDaddy: explore/get/join/meet/my/team/the/tryEXAMPLE.com and EXAMPLEconnect.com.
The Cloudflare redirect likely has GoDaddy underneath, based on what’s visible at myEXAMPLE.com/lander and others.
Half of the domains are set for Outlook Mail, the other for Google Mail which points to a potential email game.
It doesn’t make things safer that your brand name is a top-400 frequency word in one of the European languages. Not owning your .com and having a dozen businesses with similar names just compounds the risk.
What to do really depends on the specifics of your case, including trademark and competition factors. If you’re stuck, feel free to ping me at aghackernews [at] gmail.
Another possibility: Does your example.com point to something with an ideological or humanitarian goal?
There was a humanitarian charity I've donated to, and I saw people erroneously linking to the wrong URLs when spreading news of it. (Say, `foobar.org` and `boofar.com` when the charity is at `boofar.org`.)
So, I just bought the URLs and had them redirect to the correct URL, before a bad actor could snap them up.
Check if your site has any manual actions against it. https://support.google.com/webmasters/answer/9044175?sjid=11....
They might be trying to create toxic back links to their domains and if those domains 301 to your domain, I believe this can negatively impact the SEO of your domain (from what I read). If so you can try to disavow them https://support.google.com/webmasters/answer/2648487?hl=en
Phishing. Regular visits to these domains will 301 redirect them to you, but there's at least one URL that will instead be handled by the scammers themselves.
They'll then send out an email campaign with a From: address in the counterfeit domain (which will have valid SPF/DKIM/whatever), a subject like "Example.com: You've been invited to join a project!", quickly-come-see-this-secret-stuff body copy, and a call-to-action button linked to that URL.
The page hosted on the URL will have your branding and everything, and collect a bunch of personal information and/or access credentials for the scammers.
Taking down this stuff is tedious, but you can try -- the least you can do for now is display a prominent 'this is not an authorized example.com domain' warning for inbound visits from these redirects, create a public Knowledge Base-like article warning about this abuse as well (making very clear this has nothing to do with you), and block the domains involved on your inbound mail server.
Silver lining: apparently your SaaS is successful enough to be used as a lure for scammers. Congrats?
You cannot detect the redirect, so you cannot display any such warning.
Can't you check the Referer?
No: https://news.ycombinator.com/item?id=42817750
I did this for a fraudulent health product. They had .org but not .com. Registered .com and redirected it. Waited for SEO to pick up on it. Created the page calling it out as fraud. Created some social media accounts and put the .com in the about info. Started commenting on their posts, anyone that looked at the fake profiles would find my page with info on why it was fraudulent.
I think you can check the HTTP_REFERER header and block the redirect using your back-end code, like PHP or Node or Python, not sure what tech stack you are using.
The right play might be to have a custom landing page or header / popup on your site indicating that they were referred by a fraudulent domain, and to please bookmark your proper domain / report if this was via an email link. The traffic might be good, just coming in through a bad actor.
No, just redirect back to HTTP_REFERER. Why?
The user's browser will display a redirect loop error; and most importantly, they won't see your domain.
It keeps your name out of it and makes the email domain look even more fishy.
If somebody is using your website to phish, it almost certainly means they are targeting people who legitimately want your services. It is an executive decision, but I personally would let people know, and take the free advertising.
Redirecting back to the referer will not create a redirect loop. The referer is the URL of the site that linked to the redirect, not the redirect itself. The redirect does not alter the referer in any way. In many cases, there will be no referer at all.
I don't know why everyone seems to think that HTTP redirects are visible in Referer (or Origin or any other header), but that's just not the case: HTTP redirects are completely transparent to the destination server.
> I don't know why everyone seems to think that HTTP redirects are visible in Referer
They would be if it's a same-origin redirect, no? And I was under the impression that 3xx also set it cross origin (barring a referrer-policy header), though I'm less confident now. (I can't test it ATM).
Edit: I am clearly confused. The browser preserves the original referer when performing a 3xx, as you said.
You can do the same with a load balancer or reverse proxy like nginx, and I’d generally prefer do to so at that layer.
If I was running the sites the 301s redirect from, I'd be setting a referrer policy to prevent the browser from sending the referrer header.
The referer is the site that sent the user to the redirect, not the redirect itself. You cannot detect 301s from the destination only.
IMHO you should take action ASAP - at the cost of sacrificing all traffic coming from them. Regardless of their endgame, I'd just detect the HTTP referer and redirect back to them: crawlers and browsers will detect the redirect loop and happily complain about their domain. This will render their redirects ineffective, eg. any phishing attempt will have broken links.
This is preferable rather than returning 404, 403, or warning users something fishy is going on - since anything you return from your site will have browsers and crawlers complaining about your site, and your URL/contents might suffer penalties or deindexing as a result.
Edit: as others have noted, the HTTP referer is not really useful most of the time - if at all (though legitimate, known good referrers may exist).
So what's left is 1) filing a DMCA request with their registrar and 2) hosting provider, 3) checking offending inbound links and using Google’s Disavow Links tool. And if they're plagiarizing some contents, also 4) asking Google to remove infringing pages from their index. I had to do the latter a few years ago.
Whatever their play, detect and drop the redirects. Good job on noticing it early on!
You cannot detect a 301 redirect when you're only in control of the destination.
Not through the referrer?
If you navigate straight to bad-domain.com which redirects to good-domain.com, there will be no referer at all.
If you click a link on red-herring.com which points to bad-domain.com, which then redirects to good-domain.com, the referer will be red-herring.com (if not disabled entirely).
HTTP redirects have no effect on the referer.
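The two recurring technical points in this thread, that a lookalike can 301 casual visitors while cloaking for crawlers or hiding a phishing route (the Googlebot and mobile user-agent comments, and the "hidden routes" comments), and that the destination site sees nothing of the redirect in Referer or anywhere else (the comments just above), can both be checked on a loopback box. The following is an added example, not code from the thread: two throwaway `http.server` instances stand in for the lookalike and the canonical site, `RED_HERRING` and `PHISH_PATH` are constructed placeholders, and the probes use `http.client` so redirects are deliberately not followed. The last step follows the 301 with `urllib`, which, like a browser, carries the Referer of the page that linked to the lookalike rather than the lookalike itself, and then inspects exactly what the canonical server received.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: a third-party page that links to the lookalike, and a
# hidden route on the lookalike that is never redirected.
RED_HERRING = "https://red-herring.example/post"
PHISH_PATH = "/account/reset"


class Recorder(BaseHTTPRequestHandler):
    seen = None  # per-server list, injected by start()

    def log_message(self, *_):  # keep stderr quiet
        pass

    def reply(self, code, body=b"", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class Canonical(Recorder):
    """The real site: records what each arriving request actually contains."""
    def do_GET(self):
        self.seen.append({"peer": self.client_address[0],
                          "headers": {k.lower(): v for k, v in self.headers.items()}})
        self.reply(200, b"canonical site\n")


class Lookalike(Recorder):
    """The impersonating domain: 301 for browsers, cloaked content for crawlers,
    and a phishing page on one hidden route."""
    canonical = None  # base URL of the real site, injected by start()

    def do_GET(self):
        self.seen.append(self.path)
        if self.path.startswith(PHISH_PATH):
            self.reply(200, b"<form>fake password reset</form>")
        elif "googlebot" in self.headers.get("User-Agent", "").lower():
            self.reply(200, b"<a href=#>keyword spam</a>")
        else:  # what a casual inspection sees; cached for an hour like the OP's headers
            self.reply(301, Location=self.canonical + "/", Cache_Control="max-age=3600")


def start(cls, **attrs):
    """Bind a throwaway server on a free loopback port; returns (server, base_url, seen)."""
    handler = type(cls.__name__ + "Handler", (cls,), dict(seen=[], **attrs))
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}", handler.seen


def probe(base, path="/", ua="Mozilla/5.0"):
    """One request with redirects NOT followed: returns (status, Location, body)."""
    conn = http.client.HTTPConnection(base.split("//")[1], timeout=5)
    conn.request("GET", path, headers={"User-Agent": ua})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result


def run_demo():
    good, good_url, good_seen = start(Canonical)
    bad, bad_url, _ = start(Lookalike, canonical=good_url)
    try:
        results = {
            "browser": probe(bad_url),
            "googlebot": probe(bad_url, ua="Mozilla/5.0 (compatible; Googlebot/2.1)"),
            "hidden_route": probe(bad_url, path=PHISH_PATH + "?token=abc"),
        }
        # Follow the 301 like a browser that clicked a link on RED_HERRING,
        # then look at what the canonical site received.
        req = urllib.request.Request(bad_url + "/", headers={"Referer": RED_HERRING})
        with urllib.request.urlopen(req, timeout=5) as resp:
            results["final_url"] = resp.geturl()
        arrived = good_seen[-1]
        results["canonical_saw"] = {
            "referer": arrived["headers"].get("referer"),
            "peer": arrived["peer"],
            "mentions_lookalike": any(bad_url in v for v in arrived["headers"].values()),
        }
    finally:
        for srv in (good, bad):
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Three things to take from the output: the same URL answers 301, a spam page, or a phishing form depending only on user-agent and path, so a check that follows redirects with a normal browser proves nothing; the canonical site's only clue is the Referer of the page that linked to the lookalike (here `RED_HERRING`), never the lookalike's own URL; and the peer address is the visitor's, not the redirecting server's. Against a real target, swap the loopback URLs for the suspect domain and add variants for a mobile user-agent and a `Referer: https://www.google.com/` header, as suggested upthread.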
Presumably just throwing a 403 if they have this referrer is ok and won't have a weird SEO impact or something?
Couldn't the attacker evade that by sending Referrer-Policy: no-referrer with their redirect?
Good shout. Can always block based on origin header though (when under the assumption that it's a legit browser) since it's a forbidden header name.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...
Neither the Origin nor the Referer headers have anything to do with a 301 redirect.
I just tested on firefox and it doesn't send the "Origin" header when using referrerpolicy="no-referrer". It's also not present when navigating using the url bar directly.
Sounds like a security flaw that browsers honor this.
Referer is not a security mechanism.
I didn't say it was. Browsers display an alert when full-screen mode is activated. Full-screen mode isn't a security feature, but the browser does something the website developer can't control so that users can conclude that something fishy isn't going on. I think the ability for one website to hide that they've redirected to another is a vulnerability.
I'm inclined to agree that websites should know when they're the target of a redirect but that has nothing to do with Referer! That header does not work the way so many seem to think it does. As I've laid out elsewhere in this thread, HTTP redirects do not show up in Referer under any circumstances. Right now, one site doesn't have to do anything to "hide" that it's part of a redirect chain, since there's no tracking of that chain to begin with.
No, and the earlier you do the better.
Later it might have
Yes, phishing. It might happen in the future, it could be happening right now, emails from getexample.com, a specific path on getexample.com that doesn't redirect to the real thing, etc.
File a DMCA with the registrar and the hosting provider.
Check out Google’s Disavow Links Tool.
Good tip!
Do you have an affiliate plan, or likely to have one? Maybe they plan to redirect with their affiliate ID at some point?
Don't have an affiliate program, and I don't think we've got anything to suggest we will have one in the future (frankly our billing process is pretty bare bones and affiliate stuff isn't something we're looking at right now).
We're a small bot security/captcha company and pretty regularly get various attacks thrown at us - figuring out if somebody is up to something more along those lines was my main concern.
OT: How did you detect this?
Just curious, seems like something we should all start monitoring for.
I’ve seen one or two domains like that serving 301s to some IPs and their own website to others. This could be a 1000:1 ratio. Then they serve an absolutely ad-infested parking page-style website to those others. And that’s how they skim a little bit of revenue off your customers.
They may also represent you to real life businesses for invoice scams or credit.
Rare but possible scenarios worth considering.
I don't know if it still happens, but Google used to have an issue that I would see in Verbatim mode whereby non-Wikipedia domains would rank as particular Wikipedia pages by redirecting to Wikipedia. I can't seem to replicate it now, so it might be resolved or vary from country to country.
I posted about it at the time, but no one seemed to be able to replicate it:
https://x.com/jfozonx/status/1570710776540958723
Always wondered how much traffic those domains were accumulating. Even though it was an edge case, it must've been quite a lot in aggregate.
could be phishing or a "negative SEO" attack
if the domains being forwarded have had penalties it could leak into your domain SEO value
could also be a mistake :)
Can you provide more information about what's in the headers? Additionally, are there any tracking parameters appended to the URL?
I'm guessing it will look normal but it could provide some insights if something weird is there.
Just had a look - looks like pretty regular/reasonable cloudflare default stuff as far as I can tell. The headers relating to error reporting are the only thing that stand out a little, though it doesn't look unreasonable.
---
Headers
---
HTTP/2 301
date: Fri, 24 Jan 2025 13:59:51 GMT
content-type: text/html
content-length: 167
location: <the website in question>
cache-control: max-age=3600
expires: Fri, 24 Jan 2025 14:59:51 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZu4FOa%2ByynaFOXWYlxaePF9KdRQ0qGUJkfm1F1aK2m3VEx6idlvWlb5go%2B08hgSog1zm1zuMobXcVK2BkR4mQD0SEGU%2Bzp2oC6mXPgQs%2FUzvOH7LbqAG96jtf9KNqemV8Q%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 90708be24810e8fe-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59748&min_rtt=41108&rtt_var=43898&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3535&recv_bytes=789&delivery_rate=33797&cwnd=225&unsent_bytes=0&cid=e5052200af7e27a5&ts=145&x=0"
If you are seeing 301s logged on your end that is your site redirecting to another one.
There isn’t a way to see what a referring site did to do the redirect (301 or 302 or even a js redirect) in your logs. All you’ll see is (potentially) the Referer http header.
It’s likely an attempt to steal usernames and passwords for privilege escalation. I had a large corporate client who faced a very similar issue. In their case, the scammer not only registered similar domains but also created Google Ads campaigns targeting those domains. It’s worth investigating further and taking preventative measures to protect your brand and users.
Check this: https://github.com/kgretzky/evilginx2
I don't have the slightest clue about your case, a business, but I have done this once in the past for a sort of community project. The project was at example.org and I had a VPS with a free domain I didn't use, so I had example.[something] pointed there for a couple of years. Basically just white-hat domain squatting it so no one else snags it up.
More likely, they want to nuke your website, because too many 301s can be harmful to SEO in some rare cases.
If they want to sell you something, or scam, they won't do a 301, because after a 301 the juice power will gradually move to your domain, and it's pointless to do this before any scams and sales.
Lots of answers about why, and it could be one or many of them. Scammy reasons likely.
A somewhat innocent reason could be that someone sent a newsletter email or shared a link to your site, but mistyped the URL, so to save their users from getting NXDOMAIN errors, or even worse, someone registering it with ill intentions, they registered it and 301 redirected it to you.
Whatever their plan - if you have a trademark or similar IP protection on "Example", that might prove extremely useful here. (If not - consider getting some protection ASAP.)
It's been a while, and IANAL - but I've seen both domain resellers and registrars cave pretty quickly when contacted with "that name very obviously infringes on our trademark".
I created this summary for my own reference:
----- SEO Abuse:
Use your legitimate site to boost the SEO rank of unrelated domains. Create toxic backlinks that harm your domain's SEO ranking if not properly disavowed.
----- Phishing Campaigns:
Send emails with their domains (e.g., fake password reset or invite emails) claiming to be you, redirecting users to phishing pages masquerading as your brand.
Serve phishing content to users based on conditions such as geography, user agent, or time of day.
----- Domain Aging:
"Age" their domain by associating it with your legitimate service to make it appear trustworthy for future malicious activities.
----- Targeted Malware:
Use redirects to detect vulnerable users and deliver malware or drive-by attacks to those targets while serving legitimate content to others.
----- Regional Phishing or Malware Delivery:
Redirect normal traffic to your site while targeting specific regions for phishing or malware, avoiding detection for longer periods.
----- Hijacking Search Results:
Build up search engine traffic for their domains by associating them with your brand and later weaponize the domains (e.g., for phishing or fraud).
----- Affiliate Fraud:
Redirect traffic with an affiliate ID (if you use affiliate links), attempting to claim commissions fraudulently.
----- Brand Impersonation:
Use domains similar to your brand to impersonate your service, potentially harming your reputation.
----- Extortion/Domain Ransom:
Build traffic or search relevance on their domains and later attempt to extort money from you by offering to stop the redirect or sell the domain.
----- Invoice Scams:
Represent your service fraudulently to businesses for invoice scams or credit fraud.
----- Bypass Sanity Checks:
Use 301 redirects to bypass user sanity checks, tricking users into believing they are visiting legitimate sites.
----- Traffic Monetization:
Use ad-infested parking pages for a fraction of the traffic and redirect the rest to your site to generate revenue.
----- Reputation Damage:
Cause your brand to be associated with scam or phishing domains, which can harm public perception and trust.
----- Legal Liability:
Misuse of your brand or domain to commit fraud could lead to potential legal complications for you.
----- False Phishing Reports:
Cause false flags in phishing reports, harming your brand credibility and delaying the takedown of malicious domains.
----- Hidden Routes for Malicious Content:
Redirect general traffic to you while hosting specific malicious routes (e.g., URLs hosting phishing or malware).
----- Impersonation via Emails:
Send emails claiming to be your service, and when users visit the domain, they see your page after a redirect, adding legitimacy to the scam.
----- Scam Awareness Manipulation:
Target your traffic by hosting fraudulent educational content or warnings related to your domain to sow distrust.
-------------------------- Mitigation Strategies: --------------------------
• Monitor Backlinks: Regularly check backlinks and disavow toxic links using Google’s Disavow Links Tool.
• HTTP Referrer Checks: Implement referrer or origin header-based redirects to flag and warn users arriving via fraudulent domains.
• Warn Users: Create a visible warning for users redirected from suspicious domains.
• Trademark/IP Enforcement: Leverage trademark protections to take action against impersonating domains.
• Manual Domain Actions: Periodically check for indexed pages and investigate potential abuses of similar or related domains.
This feels like a never-ending cat and mouse activity, but depending upon your hosting infrastructure, you ought to be able to maintain a list of these domains and 403/404 incoming requests that are being referred from the list. Better to just dump them to an error / scam warning page than 301 them out to somewhere else (to avoid redirect loops)
Are you sure it isn't the marketing team setting up domains for email marketing blasts?
mostly for phishing (if you're successful), to send e-mail looking like it's from you
This sounds very plausible. Then if they click on their link or manually type in the website corresponding to the e-mail address, it goes to your (very official) site.
Of all the answers presented so far, this one feels the most plausible to me.
It can bypass some whitelisting if you, for example, have redirects checking whether the address is example.com but the validation is poorly written ("startswith", "contains"), on the login page or anywhere else.
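The "startswith"/"contains" point deserves a concrete look, because the domain names in this thread (getexample.com, tryexample.com) are exactly the shape that slips past a suffix or substring check on a `?next=` parameter. The following is an added example and not code from the thread: `CANONICAL_HOST` is a placeholder for the real SaaS domain, the sample URLs are constructed, and the two `weak_*` functions are deliberately written the way the comment warns about, beside a hardened version that parses the URL before comparing.

```python
from urllib.parse import urlsplit

CANONICAL_HOST = "example.com"  # placeholder for the real SaaS domain


def weak_contains(url: str) -> bool:
    """The 'contains' check the comment warns about, applied to the raw URL string."""
    return CANONICAL_HOST in url


def weak_suffix(url: str) -> bool:
    """Slightly better (it parses the host), but the missing leading dot lets
    getexample.com and tryexample.com through."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(CANONICAL_HOST)


def is_trusted_redirect(url: str, allowed_host: str = CANONICAL_HOST) -> bool:
    """Hardened version: allow same-site relative paths, otherwise require https
    and an exact host match (or a dot-separated subdomain) after parsing."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative path: a single leading '/'. Scheme-relative '//evil.test/'
        # parses with a netloc, so it falls through to the https check below.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    allowed = allowed_host.lower()
    return host == allowed or host.endswith("." + allowed)


# Constructed sample of redirect targets an attacker might smuggle into a
# ?next= parameter, alongside legitimate ones.
SAMPLES = [
    "https://example.com/dashboard",
    "https://app.example.com/",
    "/dashboard",
    "https://getexample.com/login",          # the thread's lookalike pattern
    "https://example.com.evil.test/",
    "https://evil.test/?next=example.com",
    "https://example.com@evil.test/",       # userinfo trick: real host is evil.test
    "//getexample.com/",                    # scheme-relative, inherits https
    "http://example.com/",                  # downgrade to cleartext
]


def compare(urls=SAMPLES):
    """Returns {url: (weak_contains, weak_suffix, hardened)} for each sample."""
    return {u: (weak_contains(u), weak_suffix(u), is_trusted_redirect(u)) for u in urls}


if __name__ == "__main__":
    for url, verdicts in compare().items():
        print(f"{url:45} contains={verdicts[0]!s:5} suffix={verdicts[1]!s:5} hardened={verdicts[2]}")
```

The table this prints makes the failure mode obvious: every lookalike in the sample passes the substring check, and `getexample.com` also passes the suffix check, while only the canonical host, its dot-separated subdomains and a plain relative path pass the hardened one. If the redirect target can be user-supplied at all, prefer a server-side map from short keys to known paths over any host comparison.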
Could be for phishing. Is the SaaS in a domain that involves money (payments/crypto etc)? Then even more likely so. I would drop those redirects at my webserver level. Easy to do.
Another alternative is that they will hijack those links once they gain traction in search results. Almost as a hedge against your future success.
It's not that easy to find their play.
First and foremost, guide visitors with a popup alert or a banner that you only conduct legitimate business through example.com.
Did you buy used/old/expired domain? Any patterns you can see or a random increase in traffic out of nowhere? What about your competitors?
A 301 redirect isn't a bad thing unless someone has the knowledge to turn it into something bad.
That is a really good problem to have.
If you know that is happening with HTTP you can redirect those requests, based upon origin, to a honeypot of your choosing. It’s free traffic you didn’t have to work for to use as you wish without disruption to your business requirements. You can use that traffic to experiment with new features under experimental branding, AB testing, and more.
The malicious website can stop the Referer header from being sent by setting the Referrer-Policy header to "no-referrer". Also, redirects apparently wouldn't include a Referer header any way, according to kbolino's comment.
First of all you shouldn't rely on HTTP headers for traffic identification as that makes a bunch of assumptions. Secondly, look at the example 301 on MDN which contains no identifying information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301
Redirected traffic is coming from one or more dedicated locations performing the redirection. The source of redirection is still identifiable by IP address. So, if you know the traffic is coming from a given IP and is a 301 you have all you need. Even after that the identified traffic, if not bots, can then be further tracked via a variety of client-side things like cookies and localStorage.
I don't think that's correct. If server A redirects to server B, then server B does not obtain the IP address of server A, only the IP address of the client. Also, the client does not send a "301 request" to server B, it sends a normal GET request. The 301 code only applies to responses, not requests.
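An added demonstration of the point in the comment above, not posted by anyone in the thread: two throwaway localhost servers play the look-alike domain (A) and the real site (B), and the code records exactly what B receives when a client follows A's 301. It assumes a urllib client; browsers apply their own Referrer-Policy rules to the Referer header.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def _serve(handler_cls):
    """Start handler_cls on an OS-chosen loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_exchange():
    """A client follows a 301 from server A to server B; return what B saw."""
    seen = {}

    class ServerB(BaseHTTPRequestHandler):  # the redirect target (OP's site)
        def do_GET(self):
            seen["requestline"] = self.requestline        # method, path, version
            seen["client_ip"] = self.client_address[0]    # peer of the TCP connection
            seen["host"] = self.headers.get("Host")
            seen["referer"] = self.headers.get("Referer")  # None when absent
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

        def log_message(self, *args):  # silence the default access log
            pass

    b = _serve(ServerB)
    seen["b_port"] = b.server_address[1]

    class ServerA(BaseHTTPRequestHandler):  # the look-alike domain
        def do_GET(self):
            self.send_response(301)
            self.send_header("Location", "http://127.0.0.1:%d/landing" % seen["b_port"])
            self.end_headers()

        def log_message(self, *args):
            pass

    a = _serve(ServerA)
    try:  # urllib follows the 301 by issuing a fresh, ordinary GET to B
        with urllib.request.urlopen("http://127.0.0.1:%d/" % a.server_address[1], timeout=5) as r:
            seen["final_url"] = r.geturl()
    finally:
        for srv in (a, b):
            srv.shutdown()
            srv.server_close()
    return seen
```

B records only the client's own address and a plain `GET /landing`; nothing in the request names A or carries a 301.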
If you have an affiliate program, it could be for outbound email campaigns to sell your product.
Not a lawyer. Your claim to copyright the term used by your SaaS depends on the website you registered, unless you officially copyrighted the term. Someone having all those websites can also claim the copyright, or claim you didn't enforce it by asking the other websites to be removed.
Trademark is the term you meant here I think.
Many good answers for the why, but can and should you do anything about it?
Sounds like phishing? Try going through their website and see.
If the domain is great and strong you can sell it for 100% of the price you bought it for.
Step 1: build reputation as if they are you
Step 2: offer to sell them to you for some inflated price
Step 3: make your life hell if you don't pay
https://prosopo.io/
I can answer this one because it was one of my dirtier SEO tricks.
Expired domains and domains on the marketplace, with hundreds or thousands of “backlinks” to them, are valuable. In the listing you may see something like “20000 back links.” And those links are usually worthless, spam, and will vanish as soon as you buy. But you can find domains that have real backlinks. TEN backlinks from reputable websites are more valuable than a thousand spam BLs.
You used to be able to buy and run software, “backlinks explorer”, to investigate everyone who links to a domain you’re thinking about buying. And you can also research a “20000 backlinks” claim to see if this is just someone spamming that domain all over blogger and forums.
A good domain to buy will have legit backlinks from real websites that linked on purpose. If it’s been spammed thousands of times for a “5000 backlinks claim”, expect google to punish it!
Because if you 301 them to your site, google et al assume you’re the legitimate successor to that website and people mean to link to you.
So you come up higher in search.
I’ve used this to be the first or second result on google. And certainly on the first page of results.
It overcomes downranking for being a new domain nobody links to.
Google has its own criteria for evaluating whether your page is spam or a scam, and whether you’re abusing this to promote spam or a scam.
I have a trio of ancient highly ranked domains that I forward to a new page for about a year.
They’ll hit page one on google within a week or two or three.
After I remove the 301s or recycle those domains, the pages usually still come up within the first page of results afterwards.
Before you get too horrified here, I did this to bury a “competitor” who had registered a similar domain name, stolen my entire repo and website from a disgruntled employee, copied all my software and copied my webpage word for word trying to drum up business on my IP. The whole time they mocked me in email about stealing my customers and putting me out of business.
It worked. (Sort of. If you hire them they don’t actually have any idea how to do what I do.)
I did not do this to scam or phish or what have you. I just did this to bump them from #1 on google. Which they got by incorporating with a similar business name and registering with a similar URL.
They did ultimately manage to shut that business down and disrupt it after years of this and I moved on because I have other talents and this venture wasn’t profitable enough to deal with this entity kneecapping me for years and years.
But on my way out, I forwarded all of those domains to a reasonable and legitimate website that’s in the same line of work, resulting in them now dominating the other site in search. So I walked away and used this trick one last time to at least ensure someone searching for this subject would end up in some safe and reasonable hands.
What’s my point in sharing this?
It’s that the other website has no idea I did this, and has no control over it. You might see this and assume the worst about the other website.
Someone could be doing this to manipulate SEO or search results over sites they don’t even own. For reasons that might (?) make sense or be well intended.
And for reasons that don’t, or might even be malicious.
* MULTIPLE edits for clarification
Very interesting, someone did that to a project of mine 10 years ago.
They registered $my_projectname.org and loaded my site in a full screen iframe with ads over it.
Traffic was up to 500 users per day that I was never able to monetise, I doubt they got a lot from their iframe either.
But they beat me and some other similar sites on SEO very hard, very fast and I never quite figured out how.
I ended up serving a white page to that referer.
People do this for SEO purposes. They think that this increases the amount of backlinks to their site, thus increasing their rank in Google and other search engines.
This is less true than it used to be, but people still do it.
Sure, but it's not their site, it's mine!
And they're not obvious mouse slips like redirecting googl.com -> google.com - they're more of the form <verb>mydomain.com.
I was mostly interested in what the actual play from them here is tbh
Maybe they’ll try to build up traffic to your site from those domains and then push to sell them to you/extort by removing the redirects?
Just feels like such an odd play lol. If they could organically generate leads/traffic that I'd be willing to get extorted over, then surely they would also have the means to start a marketing agency that I'd be willing to pay far more for?
Backlinks to which site?
The fraudulent domains are only sending traffic to OP.
My guess is that they want to either phish visitors, or they want to ask OP for affiliate revenue, like a digital version of the guys who wash your windshield or your shoes without asking first, and then ask for money.
Or planning to threaten to divert organic traffic through the impersonation domains away from the canonical domain, if you don't pay them.
"Wash your windshield" lol are you South African?