02.02.09

Preventing Your Redirects From Being Abused

By Manoj Jasra

Late last week the Google Webmaster Central Blog discussed site redirects and how they can potentially be compromised by spammers. The post also listed 7 ways to prevent your site's redirects from being abused:

• Change the redirect code to check the referer, since in most cases everyone coming to your redirect script legitimately should come from your site, not a search engine or elsewhere. You may need to be permissive, since some users' browsers may not report a referer, but if you know a user is coming from an external site you can stop or warn them.

• If your script should only ever send users to an internal page or file (for example, on a page with file downloads), you should specifically disallow off-site redirects.

• Consider using a whitelist of safe destinations. In this case your code would keep a record of all outgoing links, and then check to make sure the redirect is a legitimate destination before forwarding the user on.

• Consider signing your redirects. If your website does have a genuine need to provide URL redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. That allows your own site to do URL redirection without opening your URL redirector to the general public.


• If your site is really not using it, just disable or remove the redirect. We have noticed a large number of sites where the only use of the redirect is by spammers; it's probably just a feature left turned on by default.

• Use robots.txt to exclude search engines from the redirect scripts on your site. This won't solve the problem completely, as attackers could still use your domain in email spam. Your site will be less attractive to attackers, though, and users won't get tricked via web search results. If your redirect scripts reside in a subfolder with other scripts that don't need to appear in search results, excluding the entire subfolder may even make it harder for spammers to find redirect scripts in the first place.

• You can also use Webmaster Tools to remove URLs. Chances are that the spammers have also hacked and abused other sites to generate links to the spammed section of your site. If you see suspicious sites or spammed forums linking in, feel free to report those to us, preferably with the verified spam report form in Webmaster Tools.
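The internal-only, whitelist and signed-redirect checks from the list above, combined into one validator. This is an added example, not code from the Google post or from this article; the key, host names, the `sig` parameter and all function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# All values below are constructed for this example (assumptions, not from the article).
SECRET_KEY = b"demo-key-load-from-server-config"
SITE_HOST = "www.example.com"            # the site's own host
ALLOWED_HOSTS = {"partner.example.org"}  # recorded outgoing destinations
FALLBACK = "/"                           # where untrusted requests are sent
UNSAFE_CHARS = set("\\\r\n\t")           # browser quirks and header injection


def _parts(dest: str):
    """Parse dest, returning None instead of raising on malformed input."""
    try:
        return urlsplit(dest)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None


def sign(dest: str) -> str:
    """HMAC-SHA256 tag the site appends (as a hypothetical `sig` parameter)."""
    return hmac.new(SECRET_KEY, dest.encode("utf-8"), hashlib.sha256).hexdigest()


def is_internal(dest: str) -> bool:
    """True for same-site paths or absolute URLs on SITE_HOST only."""
    parts = _parts(dest)
    if parts is None or UNSAFE_CHARS & set(dest):
        return False
    if not parts.scheme and not parts.netloc:
        return dest.startswith("/")  # "//host/x" has a netloc, so it never gets here
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST


def resolve_redirect(dest: str, sig: str = "") -> str:
    """Return the URL to send the user to, or FALLBACK if dest is not trusted."""
    if is_internal(dest):
        return dest
    parts = _parts(dest)
    if parts is None or UNSAFE_CHARS & set(dest):
        return FALLBACK
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return FALLBACK
    if parts.hostname in ALLOWED_HOSTS:
        return dest
    # Signed redirect: only links the site itself generated carry a valid tag.
    if sig and hmac.compare_digest(sign(dest).encode(), sig.encode("utf-8")):
        return dest
    return FALLBACK
```

A script that should only ever serve internal pages can call `is_internal` alone and drop the whitelist and signature branches.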



About the Author:
Manoj Jasra is a well-respected search marketing veteran who has been in the industry since 2002. Manoj currently serves as a Sr. Analyst on the web solutions team at Shaw Communications Inc. Manoj's role primarily consists of providing SEO/PPC and Web Analytics strategies in addition to business insight on Shaw's web properties. Previously, Manoj held the role of Director of Technology at Enquiro Search Solutions, where he oversaw Enquiro's product development for search marketing solutions and acted as the lead on both SEO Training and Enquiro's Web Analytics approach. Check out Manoj's well-read blog, Web Analytics World, which focuses on his insight in Search Marketing, Mobile, Technology and, of course, Web Analytics. You can contact Manoj at manoj.jasra@gmail.com.
About DevWebProBR
DevWebProBR is for professional developers ... those who build and manage applications and sophisticated websites. DevWebProUK delivers via news and expert advice New Strategies In Development.











-- DevWebProBR is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
© 2009 iEntry Inc. All Rights Reserved
