
Affiliate Program Overkill Part 1: The Cloaker
Affiliate Program Overkill Part 2: Scaling The Operation
In the last two parts I told you how I created my own cloaker and how I started to scale my operation.
But when I read it I can imagine that it´s very hard to understand what I did and how I did it.
So in this part I will explain how the system works.
I thought when I explain it with some images then probably it´s easier to understand.
Now I see that it probably only visualizes how complicated the shit is.
I want to show it anyway so that you can see what weird stuff sometimes comes up in my mind.
The Beginning
It all started with a banned account at a trafficsource.
To prevent that this happens again I thought about ways to avoid it.
Then I just started to build a cloaker.
It was very basic, pure PHP and with no databases.
In the first version I only used IP addresses, locations and specific URL parameters to check if the traffic is “Good” or “Bad”.
The flow was

The next step was basically the same.
Only difference is that now the cloaker creates CSV files to track many different elements from the traffic.
Starting to track data

The Good.csv file is for whitelisted IPs and ISPs.
The Bad.csv id for blacklisted IPs and ISPs.
The New.csv is for data that is neither in blacklist nor in whitelist.
At this time the problem was that I had to put the cloaker PHP file in every folder for my campaigns separately.
And when I had to change the file I had to do it for all files in all folders one by one.
So the next step was to improve the cloaker so that all campaigns can access the same cloaker PHP file.
That way I only have one file and only need to make changes once.
Now my folder structure was like this
Only one cloaker file

In the main folder was the cloaker file.
Then there were subfolders for each traffic source and in the trafficsource folders were folders for each campaign.
The traffic now wasn´t send to the cloaker file anymore.
Instead it was sent to files in the campaigns folders and these files just included the cloaker.php.
The cloaker then checked the traffic and based on the result it gave a TRUE or FALSE.
When TRUE the traffic got redirected to a safe site, when not TRUE traffic got redirected to affiliate program.
So now the flow was like this

The traffic went to the campaigns where the cloaker was included.
When traffic was safe it got redirected through a fake site where the referrer is changed and then redirected to the affiliate program.
Also now all campaigns tracked the data for good/bad/new traffic in CSV files in the campaign folders.
Additionally the cloaker created CSV files by country in the main folder.
This worked pretty good so far but the problem was that for each campaign I could only promote one affiliate program.
But I wanted to promote more programs in one campaign.
As you can read in the last part, I ran CPV traffic where each target was an URL.
I wanted to redirect specific targets to specific destinations.
For this I created a new script.
Multi Destination Redirect

Now I can redirect each target to separate destinations.
So traffic flow was same as before.
Campaign file included the cloaker and the cloaker checked the traffic and sent result.
But now the campagn file additionally sent the target and the campaign ID from the new script to the site where the referrer gets faked.
Then the fake site can grab the corresponding destination and send the user to the appropriate destinations.
For little bit entertainment here is some code so that you can understand the stuff better.
Coding for nerds
<?php
$keywordholen = strtolower($_GET['keyword']);
$keyword = str_replace('www.', '', $keywordholen);
$kampagne = '123';
$sub_id = 's2';
$trackid = 'abcde';
$useragent = $_SERVER['HTTP_USER_AGENT'];
include("../../trackall.inc.php");
if ((trackall()===true) {
header('Location: https://safesite.com');
}
else {
header( 'Location: https://fakesite.com/ ?mn=123456789&keyword='.$keyword.' &kampagne='.$kampagne.'&sub_id='.$sub_id.' &trackid='.$trackid);
}
die;
?>
The code above is from the campaign file.
Cloaker gets included and traffic is checked.
Based on results the traffic gets redirected.
When the traffic is clean it gets redirected to the site to fake the referrer and from there to the affililate programs.
Here is the code for it
<?php
// Redirect By SubID
define('CHECK_FOR_TABLES',false);
//require config file with database connection and other basic things
require_once 'config.php';
$kampagne=123;
$subid=$db->real_escape_string($_POST['keyword']);
$res=$db->query('SELECT redirect FROM subids WHERE subid="'.$subid.'" AND campaign_id='.$kampagne);
if ($res->num_rows>0)
{
$redirect_to=$res->fetch_row();
$redirect_to=$redirect_to[0];
}
else
{
//set default redirect
$redirect_to='safesite.com';
}
//Random String
function randomstring($length = 25) {
// $chars - String aller erlaubten Zahlen
$chars = "abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
// Funktionsstart
srand((double)microtime()*1000000);
$i = 0; // Counter auf null
while ($i < $length) { // Schleife solange $i kleiner $length
// Holen eines zufälligen Zeichens
$num = rand() % strlen($chars);
// Ausführen von substr zum wählen eines Zeichens
$tmp = substr($chars, $num, 1);
// Anhängen des Zeichens
$pass = $pass . $tmp;
// $i++ um den Counter um eins zu erhöhen
$i++;
}
// Schleife wird beendet und
// $pass (Zufallsstring) zurück gegeben
return $pass;
}
$myrand = randomstring(25);
//CPAR Settings
$magic_number = 123456789; // Any number you choose except ZERO!
//$cpa_offer_url = $redirect_to;
//Don't edit below this line unless you know what you are doing.
if (isset($_GET['mn']) && $_GET['mn']==$magic_number){
echo '<html><head></head><body><form action="' . 'http://'.$_SERVER['HTTP_HOST']. $_SERVER['PHP_SELF']."? trackingid=".$myrand . '" method="post" id="form1">
<input type="hidden" name="mn" value="' . $magic_number . '" />
<input type="hidden" name="keyword" value="'.$_GET['keyword'].'" /></form>
<script language="JavaScript">
document.getElementById(\'form1\'). submit();</script></body></html>';
return true;
exit();
}
if ($_POST['mn']==$magic_number){
echo '<html><head></head><body><form action="' . 'http://'.$_SERVER['HTTP_HOST']. $_SERVER['PHP_SELF']."? trackingid=".$myrand . '" method="post" id="form1">
<input type="hidden" name="mn" value="' . $magic_number . $magic_number . '" />
<input type="hidden" name="keyword" value="'.$_POST['keyword'].'" /></form>
<script language="JavaScript">
document.getElementById(\'form1\'). submit();</script></body></html>';
return true;
exit();
}
$dom = preg_replace( "/^www\./", "", $_SERVER[ 'HTTP_HOST' ] ) ;
$ref= $_SERVER['HTTP_REFERER'];
if (((strpos($ref, $dom)!=FALSE) || (trim($ref)=="" ) ) && ($_POST['mn']==$magic_number.$magic_number)){
header( 'Location: http://' . $redirect_to);
exit();
}
// Whitehat Site
echo "unique tracking id= $myrand<br/>";
echo "written to file";
?>
This code connects to the script for targets and destinations and grabs the matching destination for the target that gets sent in the URL.
Then it generates a random string that we need later.
Next the script checks if the magic number matches to the one from the incoming URL.
If yes it does few redirects to fake the referrer and finally the user gets redirected to the appropriate destination.
When the magic number doesn´t match it just shows a text on the fake site
“unique tracking id= RANDOMNUMBER
written to file”
I know, it´s really cheap but that way I could run hundreds of programs without creating real and good looking fake sites for each program.
Summary
Usually in this part I wanted to explain what I did.
I thought probably it´s good to create some graphics about the flow and stuff so that you can better understand the whole stuff.
But now where I see it it still looks complicated like fuck.
I hope you still get it and if not you enjoyed reading it nontheless.
Because the real madness starts in the next and final part
Well for someone that isn’t a coder, that is some complicated looking sh$t. I mean I have coded in various languages (though not for some time, true), and not in PHP). And looking at this I don’t really get what is happening. So someone who is perhaps an outlier on logic and intelligence, but not a coder, can make this… but can the average person out there? Would such a thing be needed to do the sort of marketing you do now?
Also… is this illegal, or just against the terms of certain companies? And.. how do you decide what is a ‘good incoming’ and ‘what is bad’? Presumably you have a list if IPs. But a company that is really trying to police usage of their product/affiliate could so so from new/random IPs?
Yes, it really looks complicated.
And you only see the smallest part of it.
The posts are the first time where I talk about that stuff and where I try to explain it.
And boy, now I realize myself how complicated the setup is and how confusing it probably sounds for others.
Because of that I decided to write this post, to explain better what´s going on together with some images.
When I wrote the post yesterday I the realized that it probably won´t help that much to explain it.
It just brings the confusing text into images 😀
Nice, what languages?
Probably you are right.
I never learned a coding language so in the end I don´t give a fuck about proper syntax and stuff.
I just want to get my stuff running.
So a real coder maybe won´t understand the stuff that good because I just don´t play by the rules you usually learn.
Probably not
No, what I do now has nothing to do with it.
But I still have the setup running.
Some campaigns even since 2013 or so.
Not illegal, even if it would be I wouldn´t tell it here 😀
I would say it´s just a clever way of marketing.
Short answer, good is all traffic I want to have; bad is the rest 😉
It depends on the campaign and can change a bit based on requirements.
Sure they could.
But again, it´s nothing illegal and companies often are very happy with my traffic.
Once I even got contacted by the highest affiliate manager from on of the biggest TelCo companies to check what they can do that I send more traffic.
Also received some free smartphones and stuff.
On the other hand I also got accounts banned for this.
In the end it depends on the affiliate programs.
Some are cool with it and happy about good traffic and sales, some don´t like it.
Thanks for the extensive reply! Please keep the interesting articles coming.
(I’ve previously used Fortran, 6800, ML, etc – mostly dated).