More on verifying backlink redirects

Many backlink cloaks don't insert links that point directly to their intended ad sites; instead, along with changing the <title> of a page, the cloaks insert links that point back to themselves.

For example, cloaked content found on the page might contain links that point back to itself :

<a href="">Canadian Generic Viagra.</a> <a href="">Levitra or Cialis is.</a> <a href="">Levitra or Cialis</a> is 10 mg and the canadiab consequence of growing dose to 20 mg. EDsensual can also be used

When Google crawls, the cloaked content in the page causes the page to be listed in Google searches for "Viagra", "Levitra" and "Cialis". A Google search for "Viagra" would then turn up a result like :


When you click on a link in a Google search result, the URL of the search itself is sent to the target webserver as the HTTP Referer field, and, in the case of Google and many other search engines, the term(s) you search for are part of that Referer URL. For example, searching for "Viagra" and clicking on the resulting result would send the server a request for /welcome/ with a Referer header of :

Redirecting backlink cloaks are coded to look for certain search terms in the HTTP Referer and then, instead of returning a page, return a redirect to an external website. In our example above, the cloak code in the /welcome/ page would redirect to when clicks come in from searches for "Viagra" on Google, Yahoo, etc. :

if (preg_match('/live|msn|yahoo|google|ask|aol/', $_SERVER["HTTP_REFERER"])) { $tabs = array('Viagra','Cialis','Levitra', ... ); foreach($tabs as $tab) { if(preg_match("/$tab/i", $_SERVER["HTTP_REFERER"])) { header("Location:; exit; } } }

Scanning weblogs for redirects and more

If you have access to your website's logs, and if your website logs HTTP Referer headers, you can scan for known keywords in order to track down such redirections. Assuming your website's access log is in /var/log/httpd/access_log, you can scan for interesting requests via :

egrep -i 'viagra|cialis|lavitra' /var/log/httpd/access_log

Example results might look like : - - [10/Mar/2011:15:20:25 -0500] "GET /uploads/.shop/viagra-product-information-doses.html HTTP/1.1" 200 16034 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20100701 Firefox/3.5.11" - - [10/Mar/2011:15:30:15 -0500] "GET / HTTP/1.1" 302 1254 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" - - [10/Mar/2011:16:55:01 -0500] "GET /forms/?Buy-Viagra-On-Line HTTP/1.1" 404 472 "-" "Yeti/1.0 (NHN Corp.;"

The first result (from is a request that actually returned content, and given its path, is likely a non-cloaked backlink ad (and should be further investigated).

The second result (from is likely a cloaked redirect, one that sent a HTTP Redirect (302) due to the presence of a key search term in the Referer (viagra). It too should be further investigated.

The third result (from was not found and may indicate that a backlink was once present at that URL, but is no longer so. If you find that your logs contain a large number of 404'd requests, then filter them out in your search, looking only for requests that either returned content or redirected :

egrep -i 'viagra|cialis|lavitra' /var/log/httpd/access_log | egrep ' 200 | 301 | 302 '

Faking Google searches

If you would like to try and trigger a redirect cloak without actually having to find a specific Google search result to click on, then you need to send the target server a faked HTTP Referer header.

As was mentioned in the Backlinks Overview, this can be done via curl by :

curl -si -e ''

If you would rather use a GUI interface for faking the header, the Firefox Modify Headers add-on comes in handy. Modify Headers allows you to add/modify/remove HTTP headers sent as part of requests. In our case, we are interested in being able to simulate searches for certain keywords at Google, via adding a Referer field indicating a specific search. In the example below, any URLs visited in Firefox would appear to have been as a result of a query to Google for "viagra" :

Modify Headers2

Visiting URLs with this header enabled, should trigger any cloaked redirects looking for searches on "viagra".